Independent Orbiter Assessment
FMEA/CIL Assessment Interim Report 


1.0 EXECUTIVE SUMMARY 

The McDonnell Douglas Astronautics Company (MDAC) was selected in
June 1986 to perform an Independent Orbiter Assessment (IOA) of
the Failure Modes and Effects Analysis (FMEA) and Critical Items
List (CIL). Direction was given by the Orbiter and GFE Projects
Office to perform the hardware analysis and assessment using the
instructions and ground rules defined in NSTS 22206, Instructions
for Preparation of FMEA and CIL.

The IOA analysis features a top-down approach to determine 
hardware failure modes, criticality, and potential critical 
items. To preserve independence, the analysis was accomplished 
without reliance upon the results contained within the NASA and 
prime contractor FMEA/CIL documentation. The assessment process 
compares the independently derived failure modes and criticality 
assignments to the proposed NASA post 51-L FMEA/CIL 
documentation. When possible, assessment issues are discussed 
and resolved with the NASA subsystem managers. Unresolved issues 
are elevated to the Orbiter and GFE Projects Office manager,
Configuration Control Board (CCB), or Program Requirements
Control Board (PRCB) for further resolution. An issue generally
refers to a disagreement between the NASA FMEA/CIL and the IOA 
failure mode analysis results. This process was reviewed twice 
by the National Research Council, Shuttle Criticality Review and 
Hazard Analysis Audit Committee, and was concluded to be 
acceptable. 

As a result of the programmatic requirement to end the IOA task 
in March 1988, the FMEA/CIL baseline under review was "frozen" as 
of 1 January 1988. This date allowed for the majority of 
subsystems to be assessed based upon the proposed post 51-L NASA 
FMEA/CIL documentation presented to either the CCB or PRCB. 
However, for those subsystems where the NASA post 51-L FMEA/CIL 
reviews were still in progress, the assessment used unofficial 
FMEA/CIL data provided by the subsystem managers or whatever 
documentation that was available as of 1 January 1988. 

The assessment results for each subsystem have been documented in 
separate assessment reports (Section 6.0 References), and 
summaries are provided in Appendix C. Table 1-1 presents an 
overview of the NASA FMEA/CIL documentation assessed, the IOA 
recommended baseline, and unresolved issues, and Table 1-2 
presents the status of CIL issues. A total of 3,193 FMEA
issues and 1,586 CIL issues remain to be resolved. Many issues
are, however, "paper" issues attributed to the lack of updated
FMEA/CIL documentation, or arise because of the lack of adequate
time to pursue resolution with the subsystem managers (a time
consuming process). For these reasons, the actual FMEA/CIL
documentation should be in far better shape than these numbers
suggest.

Some of the Orbiter FMEA/CIL assessment issues are attributed to
differences in interpreting NSTS 22206 ground rules and
instructions. For example, Rockwell occasionally used a very
broad redundancy interpretation approach which produced more 1R
and 2R functional criticalities than the IOA analysis. It appears
that the definition of redundancies was expanded to include
unrelated multiple failures. IOA, on the other hand, limited
redundancy to failure items under study, which resulted in less
severe functional criticalities.

The most important Orbiter assessment finding was the previously 
unknown "stuck" autopilot push-button criticality 1/1 failure 
mode, having a worst case effect of loss of crew/vehicle when a 
microwave landing system is not active. Rockwell has been 
directed by the CCB to add the failure mode to the FMEA/CIL 
documentation and to implement a software change to bypass a 
stuck "Auto" switch. 

SPAR Aerospace conducted their Remote Manipulator System (RMS) 
failure mode analysis in a manner similar to IOA and consistent 
with NSTS 22206. One major issue remains open affecting sixty-nine
FMEA/CIL items. The issue concerns uncommanded motion of
the arm while the arm is within two feet of the Orbiter, payload,
or a suited crewman. Arm malfunction detection software cannot
guarantee that the arm will be stopped in time to prevent impact
when within the two-foot envelope. To be technically correct and
totally in agreement with NSTS 22206, IOA recommends that
uncommanded motion failure modes be assigned a worst case effect
criticality of 1/1. Currently, the criticality assignments are
2/1R.

The Extra Vehicular Maneuvering Unit (EMU) FMEA/CIL documentation 
prepared by Hamilton Standard followed NSTS 22206 ground rules 
and was in general agreement with IOA. Assessment of the Manned 
Maneuvering Unit (MMU) was to an old FMEA/CIL baseline due to 
NASA rescheduling their review to a later date. 

In summary, the resolution of the remaining CIL issues is being 
pursued to finalize and resolve those with possible safety 
implications. 

TABLE 1-1

FMEA/CIL ASSESSMENT OVERVIEW (INTERIM)

Fuel Cell Powerplant (FCP)
Hydraulic Actuators (HA)
Displays and Control (D&C)
Guidance, Navigation & Control (GN&C)
Orbiter Experiments (OEX)
Auxiliary Power Unit (APU)
Backup Flight System (BFS)
Electrical Power, Distribution & Control (EPD&C)
Landing & Deceleration (L&D)
Purge, Vent and Drain (PV&D)
Pyrotechnics (PYRO)
Active Thermal Control System (ATCS) and Life Support System (LSS)
Crew Equipment (CE)
Instrumentation (INST)
Data Processing System (DPS)
Atmospheric Revitalization Pressure Control System (ARPCS)
Hydraulics & Water Spray Boiler (HYD & WSB)
Mechanical Actuation System (MAS)
Manned Maneuvering Unit (MMU)
Nose Wheel Steering (NWS)
Remote Manipulator System (RMS)
Atmospheric Revitalization System (ARS)
Extravehicular Mobility Unit (EMU)
Power Reactant Supply & Distribution System (PRS&D)
Main Propulsion System (MPS)
Orbital Maneuvering System (OMS)
Reaction Control System (RCS)
Comm and Tracking (C&T)

Total as of 1 January 1988

10735 9077

TABLE 1-2

CIL ISSUE STATUS (INTERIM)

SUBSYSTEM | IOA CIL Issues | Accepted By NASA | Withdrawn By MDAC | Total Remaining Open
Fuel Cell Powerplant (FCP) | 110 0 [row partly illegible]
Hydraulic Actuators (HA) | 17 15 0 [row partly illegible]
Displays and Control (D&C) | [values illegible]
Guidance, Navigation & Control (GN&C) | [values illegible]
Orbiter Experiments (OEX) | 0 [row partly illegible]
Auxiliary Power Unit (APU) | 25 21 0 [row partly illegible]
Backup Flight System (BFS) | 12 | 12 | 0 | 0
Electrical Power, Distribution & Control (EPD&C) | 0 | 0 | 0 | 0
Landing & Deceleration (L&D) | 51 | 0 | 0 | 51
Purge, Vent and Drain (PV&D) | 3 | 0 | 0 | 3
Pyrotechnics (PYRO) | 4 | 0 | 0 | 4
Active Thermal Control System (ATCS) and Life Support System (LSS) | 141 | 0 | 0 | 141
Crew Equipment (CE) | 4 | 0 | 0 | 4
Instrumentation (INST) | 5 | 0 | 0 | 5
Data Processing System (DPS) | 2 | 2 | 0 | 2
Atmospheric Revitalization Pressure Control System (ARPCS) | 48 | 0 | 0 | 48
Hydraulics & Water Spray Boiler (HYD & WSB) | 23 | 0 | 0 | 23
Mechanical Actuation System (MAS) | 310 | 0 | 0 | 310
Manned Maneuvering Unit (MMU) | 92 | 0 | 0 | 92
Nose Wheel Steering (NWS) | 9 | 0 | 0 | 9
Remote Manipulator System (RMS) | 74 | 0 | 0 | 74
Atmospheric Revitalization System (ARS) | 36 | 0 | 0 | 36
Extravehicular Mobility Unit (EMU) | 40 | 0 | 0 | 40
Power Reactant Supply & Distribution System (PRS&D) | 9 | 0 | 0 | 9
Main Propulsion System (MPS) | 191 | 0 | 0 | 191
Orbital Maneuvering System (OMS) | 60 | 0 | 0 | 60
Reaction Control System (RCS) | 241 | 0 | 0 | 241
Comm and Tracking (C&T) | 294 | 0 | 0 | 294
Totals | 1693 | 21 | 37 | 1637

2.0 INTRODUCTION


The 51-L Challenger accident prompted NASA to readdress safety 
policies, concepts, and rationale being used in the National 
Space Transportation System (NSTS). The NSTS Office has
undertaken the task of reevaluating the FMEA/CIL for the Space 
Shuttle design. MDAC is providing an independent assessment of 
the proposed post 51-L orbiter FMEA/CIL for completeness and 
technical accuracy. 

MDAC was initially tasked in June 1986 to conduct an
independent analysis and assessment on twenty subsystems.
Subsequently, in April 1987, eight additional subsystems were
added, which provided complete coverage of all the Orbiter
subsystems. Table 2-1 provides a listing of the Orbiter and GFE
subsystems identified by NASA to the National Research Council, 
Shuttle Criticality Review and Hazard Analysis Audit Committee. 

The IOA analysis approach is summarized in the following steps
1.0 through 3.0. Step 4.0 summarizes the assessment of the NASA
and Prime Contractor FMEA/CIL.

Step 1.0 Subsystem Familiarization
    1.1 Define subsystem functions
    1.2 Define subsystem components
    1.3 Define subsystem specific ground rules and assumptions

Step 2.0 Define Subsystem Analysis Diagram
    2.1 Define subsystem
    2.2 Define major assemblies
    2.3 Develop detailed subsystem representations

Step 3.0 Failure Events Definition
    3.1 Construct matrix of failure modes
    3.2 Document IOA analysis results

Step 4.0 Compare IOA Analysis Data to NASA FMEA/CIL
    4.1 Resolve differences
    4.2 Review in-house
    4.3 Document assessment issues
    4.4 Forward findings to Project Manager

As a result of the preceding steps, general project assumptions
and ground rules (Appendix B) were developed to amplify and
clarify instructions in NSTS 22206. Also, subsystem specific
assumptions and ground rules were defined as appropriate for the 
subsystems. These assumptions and ground rules are presented in 
each individual subsystem report. 

Table 2-1

ORBITER and GFE SUBSYSTEMS

ORIGINAL TWENTY SUBSYSTEMS (JUNE 1986)

o Guidance, Navigation & Control
o Data Processing System (DPS)
o Backup Flight System (BFS)
o Nose Wheel Steering (NWS)
o Instrumentation (INST)
o Electrical Power, Distribution & Control (EPD&C)
o Main Propulsion System (MPS)
o Fuel Cell Powerplant (FCP)
o Power Reactant Supply & Distribution System (PRS&D)
o Orbital Maneuvering System (OMS)
o Reaction Control System (RCS)
o Auxiliary Power Unit (APU)
o Hydraulics & Water Spray Boiler (HYD & WSB)
o Atmospheric Revitalization System (ARS)
o Atmospheric Revitalization Pressure Control System (ARPCS)
o Extravehicular Mobility Unit (EMU)
o Manned Maneuvering Unit (MMU)
o Landing & Deceleration (L&D)
o Hydraulic Actuators (HA)
o Remote Manipulator System (RMS)

ADDITIONAL EIGHT SUBSYSTEMS (APRIL 1987)

o Communication and Tracking (C&T)
o Displays and Control (D&C)
o Orbiter Experiments (OEX)
o Pyrotechnics (PYRO)
o Purge, Vent and Drain (PV&D)
o Mechanical Actuation System (MAS)
o Active Thermal Control System (ATCS), Life Support System (LSS), and Airlock Support System (ALSS)
o Crew Equipment (CE)

3.0 RESULTS


The IOA task was accomplished in three phases: a review of
both the NSTS 22206 and RI 100-2G FMEA/CIL Desk Instructions,
an independent subsystem failure modes analysis, and an
independent assessment of the NASA and Prime Contractor FMEA/CIL
documentation. The NSTS 22206 and RI 100-2G documents were first
reviewed and evaluated to determine if any omissions and
ambiguities existed that impeded the preparation process or
prevented the surfacing of major technical issues. This task was
completed and a report was published in October 1986 (Reference
1). Many of the recommendations have been incorporated in
subsequent versions of NSTS 22206.

The independent failure mode analysis process used available 
subsystem drawings and schematics, documentation, and procedures. 
Each of the twenty-eight subsystems was broken down into lower 
level assemblies and individual hardware components using block 
diagrams. Each component was then evaluated and analyzed for 
credible failure modes and effects. Criticalities were assigned
based on the worst possible effect of each failure mode,
consistent with NSTS 22206. To preserve independence,
the analysis was accomplished without reliance upon the results
contained within the NASA FMEA/CIL documentation. The
independent analysis of the twenty-eight subsystems was completed
and published in separate analysis reports (see Section 6.0
References).

The final phase of the IOA task was to provide an independent 
assessment of the NASA and Prime Contractor post 51-L FMEA/CIL 
results for completeness and technical accuracy. This process 
compared the independently derived analysis results to the 
proposed NASA post 51-L FMEA/CIL, and investigated any 
significant discrepancies. 

The IOA assessment process resulted in a total of 10,735 FMEAs and 
4,482 potential critical items, which resulted in a total of 
3,193 FMEA issues and 1,586 CIL issues after being compared with 
the proposed NASA FMEA/CIL data. An issue generally refers to a 
disagreement between the IOA and NASA FMEA/CIL results. The 
assessment results were fully documented in separate assessment 
reports (Section 6.0 References), and some of the major issues 
are briefly discussed in Appendix C for each subsystem. Appendix 
D provides a comparison of IOA recommended CIL items and Rockwell 
CIL packages. 

The most significant Orbiter assessment issue was uncovered by 
the Nose Wheel Steering (NWS) subsystem assessment team. The 
failure mode was a "stuck" autopilot push-button causing the 
worst case effect of loss of crew/vehicle (criticality 1/1). The
Orbiter autopilot is used for entry, and manually disengaged
before landing. The autopilot is engaged by "Roll/Yaw Auto" and
"Pitch Auto" push-button indicators (PBIs). If either "Auto" PBI
fails closed, the autopilot cannot be permanently disengaged.

With the autopilot remaining engaged, the Orbiter will attempt to
"Autoland", which requires a Microwave Landing System (MLS) on
the ground. MLS is not required for day landings, and has not
been "available" for four of the last seven STS missions.

Without the MLS, use of the autoland alone will cause the Orbiter 
to miss the runway. A single point failure with no redundancy 
and which threatens loss of crew/vehicle is categorized by NSTS 
22206 as a "criticality 1" item. Rockwell is adding the failure 
mode to the FMEA/CIL baseline and developing a software change to 
bypass a failed "Auto" switch. 

SPAR Aerospace prepared their RMS FMEAs in a manner similar to 
IOA and consistent with NSTS 22206. The only major difference
is one issue which could not be resolved with the subsystem 
manager. This issue is the use of software routines as unlike 
redundancy to downgrade the criticalities on FMEAs. The failure 
mode was uncommanded arm motion. The failure effect is RMS arm 
impact with the Orbiter, payload, or suited astronauts. Standard 
arm operation such as berthing/unberthing, grappling, payload 
deployment and retrieval, requires the arm to approach the 
Orbiter or payload closer than two feet. Any malfunction 
resulting in uncommanded motion while the arm is within this two 
foot envelope presents the possibility of impact with the 
Orbiter. Arm malfunction detection software routines or operator 
action cannot guarantee that the arm can be stopped in time to 
prevent impact. The software design specification is to stop the 
arm within a stopping distance of two feet. Consequently, the 
IOA recommendation is that the sixty-nine uncommanded arm motion 
failure modes be upgraded from criticality 2/1R to 1/1. This 
issue has gone before the CCB, but has not been presented to the 
PRCB. 

4.0 GENERAL CONCLUSIONS AND OBSERVATIONS


The number of open issues associated with the subsystem FMEA/CIL
assessment is identified and presented in Table 1-1. Some of
these issues may be attributed to updated FMEA/CIL data not
having been received by 1 January 1988 in time to adequately
assess the assigned criticalities. Further, due to the
programmatic requirement to end the IOA task in the March 1988
timeframe, adequate time was not always available to resolve
credible issues with the subsystem manager (a time consuming
process). Consequently, these issues remain for later
resolution. All issues are fully discussed for each subsystem in 
separate assessment reports. The following paragraphs briefly 
discuss some of the difficulties and observations encountered 
during the IOA study period: 


A. Late and Incomplete FMEA/CIL Documentation - Due to some
NASA/RI FMEA/CIL reviews extending past 1 January 1988, IOA
was not always able to assess the most current FMEA/CIL 
baseline and consequently did not resolve the relevant issues 
with subsystem managers. For example, the Main Propulsion 
System (MPS) and Communication and Tracking Subsystems are 
still in the review process as of 9 March 1988. Many other 
subsystems have only updated the CILs, and FMEAs that are not 
CIL items are to be updated at a later date, e.g., Atmospheric 
Revitalization Subsystem and Display and Control Subsystem. 


B. Ground Rules Interpretation - As a result of ambiguous
language used in NSTS 22206, many disagreements were noted in
analyzing hardware failure modes. Some of the major sources
of confusion are discussed briefly below for like and unlike 
redundancies, redundancy screens, emergency systems, and crew 
action and its impact on deriving criticalities. 

a. Like and Unlike Redundancy - The interpretation of like 
and unlike redundant items and definition of a hardware 
item function are not clearly defined; however, their 
impact in assigning functional criticality is significant. 
A broad interpretation creates more 1R and 2R functional 
criticalities. And most importantly, the discussion of 
parallel functional paths is not adequate to clarify 
redundancies. Two examples are discussed below:

Example 1 - One of the single most important difficulties 
encountered during the assessment of the NASA/Rockwell 
data was the utilization of multiple scenarios in 
assigning functional criticalities. In such cases, the 
Rockwell approach seemed to investigate the redundancies 
to the effect of the failure of the item under study 
instead of redundancies to the item. For example, 
failure of the fill and drain Quick Disconnect (QD) and 
the drain cap on the supply water system was tied to the 
failure of the radiators and ammonia boiler systems in
the active thermal control system. This was apparently
done since loss of the flash evaporator system was seen 
as an effect of the failure under study which would 
therefore be a redundant leg to the radiators and ammonia 
boiler systems. In these cases, the functional 
criticalities were assigned for potential loss of 
life/vehicle. IOA interpretation is to make the QD and 
the drain cap redundant to each other and then investigate 
the functional loss (flash evaporator system) arising from 
loss of these redundancies. In this manner, only a 
potential for worst case loss of mission was anticipated 
by IOA instead of loss of crew/vehicle. 

Example 2 - In certain cases, the Rockwell analysis used 
failure of another item to be the cause for the failure 
of the item under study. This approach assumes a failure 
is already in progress which is contrary to the hardware 
criticality requirements stated in NSTS 22206. Under
the hardware criticality requirements, only the singular
direct effect of the identified failure mode of a
hardware item is to be investigated.


b. Redundancy Screens - Language such as "...capable of check
out..." for Screen A, and "...from a single credible
event..." for Screen C leaves a lot to conjecture on
the part of an analyst. Further, the objectives for
complying with the screens are not sufficiently defined
in order to adequately cover them.


c. Emergency Systems - The definition of the emergency 
systems excludes hardware items which are used during 
nominal mission phases and any intact abort cases. 

For example, the Launch Entry Helmet oxygen supply panel 
and the Airlock Support System were assigned emergency 
status by the subsystem managers. This created a very 
conservative approach open to personal feelings and not 
consistent with the NSTS 22206. 


d. Crew Action - Crew action in response to a failure is not 
clear when assigning hardware criticality as opposed to 
functional criticality. Also, off-nominal versus nominal 
versus contingency crew actions are used interchangeably 
throughout the NSTS 22206 creating confusion. 

5.0 RECOMMENDATIONS


Based upon the assessment results and independent study of the 
twenty-eight subsystems, the following recommendations are drawn: 


A. Consideration should be given to resolving all of the issues 
identified by IOA to ensure that no item remains with 
possible safety implications. 


B. The unassociated multiple failure scenarios and failures
already in progress as used by Rockwell should be evaluated,
since they create a very broad and conservative methodology
to the FMEA/CIL process. This approach may reduce visibility
into failure modes and effects for some particular items,
since the majority of the functional criticality 2s and 3s
are replaced by 1Rs and 2Rs respectively.


C. Consideration should be given to improving NSTS 22206 to
eliminate sources of ambiguities. The document should be
rearranged to provide step-by-step procedures and
instructions for conducting hardware analysis. This would
reduce guess work and eliminate differences in philosophy
used from one subsystem to another. More specifically, the
topics related to redundancies (criticality, screens,
like/unlike, etc.) should be further expanded to ensure
consistent application of methodology and criticality
assignments.

D. Adequate coordination and interface should be established 
between analysis subsystems to eliminate duplication of 
effort in interfacing subsystems, and to ensure complete 
coverage of all hardware items. 

ACRONYMS

ABS - Ammonia Boiler System
ACA - Annunciator Control Assembly
ACIP - Aerodynamic Coefficient Instrumentation Package
ADI - Attitude Direction Indicator
ADP - Air Data Probe
ADS - Audio Distribution System
ADTA - Air Data Transducer Assembly
ALCA - Aft Load Control Assembly
AMCA - Aft Motor Control Assembly
AOA - Abort-Once-Around
AOS - Acquisition of Signal
APC - Aft Power Controller
APU - Auxiliary Power Unit
ARCS - Aft Reaction Control System (Subsystem)
ARPCS - Atmospheric Revitalization Pressure Control System
ARS - Atmospheric Revitalization System
ASA - Aerosurface Servo Amplifier
ATCS - Active Thermal Control Subsystem
ATO - Abort-To-Orbit
ATVC - Ascent Thrust Vector Control
B&AS - Brakes and Antiskid
BF - Body Flap
BFC - Backup Flight Control
BFS - Backup Flight System
BITE - Built-In Test Equipment
C&W - Caution and Warning
CCB - Change Control Board
CCC - Contaminant Control Cartridge
CCTV - Closed-Circuit Television
CCU - Crew Communications Umbilical
CIL - Critical Items List
CIU - Communications Interface Unit
CNTLR - Controller
COAS - Crew Optical Alignment Sight
COMM - Communication
CPU - Central Processing Unit
CRIT - Criticality
CWS - Caution and Warning System
D&C - Displays and Controls
DAP - Digital Autopilot
DCM - Display and Control Module
DCN - Document Change Notice
DDU - Display Driver Unit
DEU - Display Electronic Unit
DFI - Development Flight Instrumentation
DHE - Data-Handling Electronics
DMA - Deployed Mechanical Assembly
DOD - Department of Defense
DPS - Data Processing System (Subsystem)
DSC - Dedicated Signal Conditioner
ECLSS - Environmental Control and Life Support System (Subsystem)
EI - Entry Interface
EIU - Engine Interface Unit
EMU - Extravehicular Mobility Unit
EPA - Environmental Protection Agency
EPDC - Electrical Power, Distribution and Control
EPG - Electrical Power Generator
EPS - Electrical Power System
ET - External Tank
EVA - Extravehicular Activity
EVCS - Extravehicular Communications System
FC - Fuel Cell
FCA - Flow Control Assembly
FCL - Freon Coolant Loop
FCOS - Flight Control Operating System
FCP - Fuel Cell Power (Plant)
FCS - Flight Control System
FDA - Fault Detection and Annunciation
FDM - Frequency Division Multiplexing
FES - Flash Evaporator System
FFSSO - Forward Fuselage Support System for OEX
FLCA - Forward Load Control Assembly
FM - Failure Mode
FMCA - Forward Motor Control Assembly
FMD - Frequency Division Multiplexer
FMEA - Failure Modes and Effects Analysis
FPC - Forward Power Controller
FRCS - Forward Reaction Control System (Subsystem)
FSM - Fault Summary Message
FSS - Flight Support Structure
FSSR - Flight Systems Software Requirements
FSW - Flight Software
GAS - Get-Away Special
GFE - Government Furnished Equipment
GMT - Greenwich Mean Time
GNC - Guidance, Navigation, and Control
GPC - General Purpose Computer
GSE - Ground Support Equipment
GSTDN - Ground Spaceflight Tracking and Data Network
HDC - Hybrid Driver Controller
HEX - Heat Exchanger
HIRAP - High-Resolution Accelerometer Package
HIU - Headset Interface Unit
HPFTP - High-Pressure Fuel Turbopump
HPOT - High-Pressure Oxidizer Turbopump
HUT - Hard Upper Torso
HW - Hardware
HX - Heat Exchanger
HYD - Hydraulics
ICM - Interface Control Module
ICMS - Intercom Master Station
ICOM - Intercommunications
ICRS - Intercom Remote Station
IFM - In-Flight Maintenance
IMU - Inertial Measurement Unit
IOA - Independent Orbiter Assessment
IOM - Input/Output Module
IUS - Inertial Upper Stage
IVA - Intravehicular Activity
JSC - Johnson Space Center
KBD - Ku-Band Deploy
LCA - Load Controller Assembly
LCC - Launch Control Center
LCVG - Liquid Cooling and Ventilation Garment
LEH - Launch/Entry Helmet
LNDG/DECEL - Landing and Deceleration
LPS - Launch Processing System
LRU - Line Replaceable Unit
LSS - Life Support Subsystem
LTA - Lower Torso Assembly
MADS - Modular Auxiliary Data System
MAS - Mechanical Actuation System
MCA - Motor Control Assembly
MCC - Mission Control Center (JSC)
MCDS - Multifunction CRT Display System
MDAC - McDonnell Douglas Astronautics Company
MDM - Multiplexer/Demultiplexer
MEC - Main Engine Controller
MECO - Main Engine Cutoff
MET - Mission Elapsed Time
MGSSA - Main Gear Shock Strut Assembly
MIA - Multiplexer Interface Adapter
MLG - Main Landing Gear
MM - Major Mode
MMU - Manned Maneuvering Unit
MMU - Mass Memory Unit
MPL - Minimum Power Level (65%)
MPM - Manipulator Positioning Mechanism
MPS - Main Propulsion System (Subsystem)
MS - Mission Specialist
MSBLS - Microwave Scanning Beam Landing System
MSK - Manual Select Keyboard
MTU - Master Timing Unit
MUX - Multiplex
NASA - National Aeronautics and Space Administration
NGSSA - Nose Landing Gear Shock Strut Assembly
NGTD - Nose Gear Touch Down
NLG - Nose Landing Gear
NSI - NASA Standard Initiator
NSP - Network Signal Processor
NSTS - National Space Transportation System
NWS - Nose-Wheel Steering
OBS - Operational Bioinstrumentation System
OEX - Orbiter Experiments
OI - Operational Instrumentation
OMRSD - Operational Maintenance Requirements & Specifications Document
OMS - Orbital Maneuvering System
OTB - Orbiter Timing Buffer
OWDA - Operational Water Dispenser Assembly
P/L - Payload
PASS - Primary Avionics Software System
PBI - Push-Button Indicator
PBM - Payload Bay Mechanical
PCA - Power Control Assembly
PCI - Potential Critical Item
PCM - Pulse Code Modulation
PCMMU - Pulse Code Modulation Master Unit
PCN - Page Change Notice
PCS - Pressure Control System
PDU - Power Drive Unit
PFR - Portable Foot Restraint
PHS - Personal Hygiene Station
PI - Payload Interrogator
PIC - Pyro Initiator Controller
PLB - Payload Bay
PLBD - Payload Bay Door
PLS - Primary Landing Site
PLSS - Portable Life Support Subsystem
PMS - Propellant Management Subsystem
PRCB - Program Requirements Control Board
PRCBD - Program Requirements Control Board Directive
PRCS - Primary Reaction Control System (jet)
PRD - Payload Retention Device
PROM - Programmable Read-Only Memory
PRSD - Power Reactant Storage and Distribution
PRSDS - Power Reactant Storage and Distribution System
PSA - Power Section Assembly
PSA - Provision Stowage Assembly
PSP - Payload Signal Processor
PTT - Push-to-talk
PV&D - Purge Vent & Drain
QD - Quick Disconnect
R/BPA - Rudder/Pedal Brake Assembly
RAM - Random Access Memory
RCS - Reaction Control System
RFCA - Radiator and Flow Control Assembly
RFI - Radio Frequency Interference
RGA - Rate Gyro Assembly
RHC - Rotation Hand Controller
RHS - Rehydration Station
RI - Rockwell International
RJD - Reaction Jet Driver
RM - Redundancy Management
RMS - Remote Manipulator System
RPA - Rudder Pedal Assembly
RPC - Remote Power Controller
RPTA - Rudder Pedal Transducer Assembly
RSB - Rudder Speed Brake
RTD - Resistance Temperature Device
RTLS - Return-to-Launch Site
RTS - Remote Tracking Station
RVDT - Rotary Variable Differential Transformer
SBTC - Speed Brake Translation Controller
SCB - Steering Control Box
SCM - System Control Module
SCU - Sequence Control Unit
SCU - Service and Cooling Umbilical
SDM - Startracker Door Mechanism
SEADS - Shuttle Entry Air Data System
SFOM - Shuttle Flight Operations Manual
SFP - Single Failure Point
SGLS - Space Ground Link System
SILTS - Shuttle Infrared Leeside Temperature Sensor
SM - Systems Management
SMM - Solar Maximum Mission
SOP - Secondary Oxygen Pack
SOS - Space Operations Simulator
SPA - Steering Position Amplifier
SPFA - Single Point Failure Analysis
SPI - Surface Position Indicator
SRB - Solid Rocket Booster
SSA - Space Suit Assembly
SSME - Space Shuttle Main Engine
SSMEC - SSME Controller
SSO - Space Shuttle Orbiter
SSSH - Space Shuttle Systems Handbook
ST - Star Tracker
STDN - Spaceflight Tracking and Data Network
STS - Space Transportation System
TACAN - Tactical Air Navigation
TAL - Transatlantic Abort Landing
TCS - Thermal Control System (Subsystem)
TD - Touch Down
TDRS - Tracking and Data Relay Satellite
THC - Thruster Hand Controller
THC - Translation Hand Controller
TPS - Thermal Protection System
TVC - Thrust Vector Control
UCD - Urine Collection Device
UEA - Unitized Electrode Assembly
UHF - Ultra High Frequency
VDM - Vent Door Mechanism
VRCS - Vernier Reaction Control System (jet)
WBSC - Wide-Band Signal Conditioner
WCCS - Window Cavity Conditioning System
WCCU - Wireless Crew Communications Umbilical
WMS - Waste Management System
WP - Working Paper
WRS - Water Removal Subsystem
WSB - Water Spray Boiler

APPENDIX B

DEFINITIONS, GROUND RULES, AND ASSUMPTIONS


B.1 Definitions

Definitions contained in NSTS 22206, Instructions For Preparation
of FMEA/CIL, 10 October 1986, were used with the following
amplifications and additions.

INTACT ABORT DEFINITIONS: 


RTLS - begins at transition to OPS 6 and ends at transition 
to OPS 9, post-flight 

TAL - begins at declaration of the abort and ends at 
transition to OPS 9, post-flight 

AOA - begins at declaration of the abort and ends at 
transition to OPS 9, post-flight 

ATO - begins at declaration of the abort and ends at 
transition to OPS 9, post-flight 

CREDIBLE (CAUSE) - an event that can be predicted or expected in
anticipated operational environmental conditions. Excludes an 
event where multiple failures must first occur to result in 
environmental extremes 

CONTINGENCY CREW PROCEDURES - procedures that are utilized beyond
the standard malfunction procedures, pocket checklists, and cue 
cards 

EARLY MISSION TERMINATION - termination of onorbit phase prior to 
planned end of mission 

EFFECTS/RATIONALE - description of the case which generated the
highest criticality 

HIGHEST CRITICALITY - the highest functional criticality 
determined in the phase-by-phase analysis 

MAJOR MODE (MM) - major sub-mode of software operational sequence 
(OPS) 

MC - Memory Configuration of Primary Avionics Software System 
(PASS) 

MISSION - assigned performance of a specific Orbiter flight with 
payload/objective accomplishments including orbit phasing and
altitude (excludes secondary payloads such as GAS cans, 
middeck P/L, etc.) 
MULTIPLE ORDER FAILURE - describes the failure due to a single
cause or event of all units which perform a necessary (critical) 
function 

OFF-NOMINAL CREW PROCEDURES - procedures that are utilized beyond 
the standard malfunction procedures, pocket checklists, and cue 
cards 

OPS - software operational sequence 

PRIMARY MISSION OBJECTIVES - worst case primary mission
objectives are equal to mission objectives

PHASE DEFINITIONS:

PRE LAUNCH PHASE - begins at launch count-down Orbiter 
power-up and ends at moding to OPS Major Mode 102 (liftoff) 

LIFTOFF MISSION PHASE - begins at SRB ignition (MM 102) and 
ends at transition out of OPS 1 (Synonymous with ASCENT) 

ONORBIT PHASE - begins at transition to OPS 2 or OPS 8 and 
ends at transition out of OPS 2 or OPS 8 

DEORBIT PHASE - begins at transition to OPS Major Mode 
301 and ends at first main landing gear touchdown 

LANDING/SAFING PHASE - begins at first main gear 
touchdown and ends with the completion of post-landing 
safing operations 

B.2 IOA Project Level Ground Rules and Assumptions

The philosophy embodied in NSTS 22206, Instructions for
Preparation of FMEA/CIL, 10 October 1986, was employed with the
following amplifications and additions.


1. The operational flight software is an accurate 
implementation of the Flight System Software Requirements 
(FSSRs).

RATIONALE: Software verification is out-of-scope of 
this task. 

2. After liftoff, any parameter which is monitored by system 
management (SM) or which drives any part of the Caution and 
Warning System (C&W) will support passage of Redundancy 
Screen B for its corresponding hardware item. 

RATIONALE: Analysis of on-board parameter availability 
and/or the actual monitoring by the crew 
is beyond the scope of this task. 

3. Any data employed with flight software is assumed to be
functional for the specific vehicle and specific mission 
being flown. 

RATIONALE: Mission data verification is out-of-scope of 
this task. 

4. All hardware (including firmware) is manufactured and 
assembled to the design specifications/drawings. 

RATIONALE: Acceptance and verification testing is
designed to detect and identify problems
before the item is approved for use.

5. All Flight Data File crew procedures will be assumed 
performed as written, and will not include human error in 
their performance. 

RATIONALE: Failures caused by human operational error 
are out-of-scope of this task. 
6. All hardware analyses will, as a minimum, be performed at
the level of analysis existent within NASA/Prime Contractor
Orbiter FMEA/CILs, and will be permitted to go to greater
hardware detail levels but not lesser.

RATIONALE: Comparison of IOA analysis results with
other analyses requires that both analyses
be performed to a comparable level of
detail.

7. Verification that a telemetry parameter is actually 
monitored during AOS by ground-based personnel is not 
required. 

RATIONALE: Analysis of mission-dependent telemetry
availability and/or the actual monitoring of
applicable data by ground-based personnel is
beyond the scope of this task.

8. The determination of criticalities per phase is based on the
worst case effect of a failure for the phase being analyzed.
The failure can occur in the phase being analyzed or in
any previous phase, whichever produces the worst case
effects for the phase of interest.

RATIONALE: Assigning phase criticalities ensures a 
thorough and complete analysis. 

9. Analysis of wire harnesses, cables, and electrical connectors
to determine if FMEAs are warranted will not be performed
nor FMEAs assessed.

RATIONALE: Analysis was substantially complete prior
to NSTS 22206 ground rule redirection.

10. Analysis of welds or brazed joints that cannot be inspected 
will not be performed nor FMEAs assessed. 

RATIONALE: Analysis was substantially complete prior
to NSTS 22206 ground rule redirection.

11. Emergency system or hardware will include burst discs and 
will exclude the EMU Secondary Oxygen Pack (SOP), pressure
relief valves and the landing gear pyrotechnics. 

RATIONALE: Clarify definition of emergency systems to 
ensure consistency throughout IOA project. 
APPENDIX C

SUBSYSTEM ASSESSMENT SUMMARIES 



The IOA assessments proved a valuable method of ensuring the
proper criticality level be assigned to each FMEA/CIL identified.
In many cases the assigned criticality level was changed by the
appropriate subsystem manager due to the IOA assessment. As a
minimum, this assessment created a deeper awareness of the
criticality level assigned and better rationale and understanding.
Differences in interpretation and level of detail caused
many of the issues generated, along with the lack of updated
NASA FMEA/CIL packages. Many issues remain which should be
resolved by the Subsystem Managers.


C.1 Fuel Cell Powerplant

The IOA analysis of the EPG/FCP hardware initially generated 62 
failure mode worksheets and identified 32 PCIs before starting 
the assessment process (See Fig. C.1). In order to facilitate
comparison, 5 additional failure mode analysis worksheets were 
generated. These analysis results were compared to the proposed 
NASA Post 51-L baseline (22 May 1986) of 46 FMEAs and 22 CIL 
items and to the updated (22 December 1987) version of 43 FMEAs 
and 23 CILs. The discrepancy between the number of NASA FMEAs 
can be explained by the different approach used by NASA and IOA 
to group failure modes. Upon completion of the assessment, and 
after a discussion with the NASA Subsystem Manager, an agreement 
between the NASA FMEAs and IOA failure modes was reached. Seven 
(7) failure modes generated by the IOA analysis were added to 
the FMEAs; one being a criticality 2/1R CIL item. 

C.2 Body Flap/Rudder Speedbrake/Elevon/ME ATVC/Actuations

C.2.1 Body Flap Actuator 

The overview in Fig. C.2a is a summary of the Body Flap actuator 
assessment and presents a comparison of the Pre 51-L baseline 
and the proposed Post 51-L baseline, with the IOA recommended 
failures, and any issues. The main reason for differences was 
that NASA combined failures, whereas IOA prepared separate 
failure work-sheets. Minor differences such as fail or pass of 
screens were readily resolved. As the result of discussions with 
the Subsystem Manager and review of the updated FMEA/CIL, all 
initial issues were resolved and changes were made to the 
FMEA/CIL and IOA work-sheets. The overview further shows the 
comparison of failures of the major elements of the Body Flap 
actuators.

The IOA effort first completed an analysis of the Body Flap (BF) 
hardware, generating draft failure modes and PCIs. To preserve 
independence, this analysis was accomplished without reliance upon 
the results contained within the NASA FMEA/CIL documentation. 
The IOA analysis of the BF hardware initially generated 36 failure
mode worksheets and identified 19 PCIs before starting the
assessment process. In order to facilitate comparison, 7 additional
failure mode analysis worksheets were generated.

The IOA results were then compared to the NASA FMEA/CIL baseline 
with proposed Post 51-L updates included. A resolution of each 
discrepancy from the comparison was provided through additional 
analysis as required. Upon completion of the assessment, all of 
the IOA and NASA failure modes were in agreement. 


C.2.2 Rudder/Speedbrake Actuator 

The overview in Fig. C.2b is a summary of the RSB actuator 
assessment and presents a comparison of the Pre 51-L baseline 
and the proposed Post 51-L baseline, with the IOA recommended 
failures, and any issues. The main reason for differences was 
that NASA combined failures, whereas IOA prepared separate 
failure worksheets. Minor differences such as fail or pass of 
screens were readily resolved. As the result of discussions with 
the Subsystem Manager and review of the updated FMEA/CIL, all 
initial issues were resolved and changes were made to the 
FMEA/CIL and IOA worksheets. The overview further shows the 
comparison of failures of the major elements of the RSB 
actuators.

The IOA effort first completed an analysis of the Rudder/Speed
Brake (RSB) hardware, generating draft failure modes and PCIs.
To preserve independence, this analysis was accomplished without
reliance upon the results contained within the NASA FMEA/CIL
documentation.

The IOA analysis of the RSB hardware initially generated 38 
failure mode worksheets and identified 27 PCIs before starting 
the assessment process. No additional failure mode worksheets 
were generated during the comparison. The IOA results were 
then compared to the NASA FMEA/CIL baseline along with the 
proposed Post 51-L CIL updates included. A resolution of each 
discrepancy from the comparison was provided through additional 
analysis as required. Upon completion of the assessment, all 
of the IOA and NASA failure modes were in agreement. 


C.2.3 Elevon Actuator 

The overview in Fig. C.2c is a summary of the elevon actuator 
assessment and presents a comparison of the Pre 51-L baseline and 
the proposed Post 51-L baseline, with the IOA recommended 
failures, and any issues. The main reason for differences was 
that NASA combined failures, whereas IOA prepared separate 
failure worksheets. Minor differences such as fail or pass of 
screens were readily resolved. As the result of discussions with 
the Subsystem Manager and review of the updated FMEA/CIL, all
initial issues were resolved and changes were made to the
FMEA/CIL and IOA worksheets. The overview further shows the
comparison of failures of the major elements of the elevon
actuators.

Figure C.2c - ELEVON ACTUATOR ASSESSMENT

The IOA effort first completed an analysis of the Elevon Subsystem 
hardware, generating draft failure modes, and PCIs. To preserve 
independence, this analysis was accomplished without reliance upon 
the results contained within the NASA FMEA/CIL documentation. The 
IOA analysis of the elevon actuator hardware initially generated 25 
failure modes worksheets and identified 17 PCIs before starting the 
assessment process. No additional failure mode worksheets were 
generated during the comparison. The analysis results were 
compared to the proposed NASA Post 51-L baseline of 23 FMEAs and 13 
CIL items. A resolution of each discrepancy from the comparison 
was provided through additional analysis as required. Upon 
completion of the assessment, all of the IOA and NASA failure modes 
were in agreement. 


C.2.4 Main Engine (ATVC) Actuator 

The overview in Fig. C.2d is a summary of the main engine 
actuator assessment and presents a comparison of the Pre 51-L 
baseline and the proposed Post 51-L baseline, with the IOA 
recommended failures, and any issues. The main reason for
differences was that NASA combined failures, whereas IOA prepared
separate failure worksheets. Minor differences such as fail or
pass of screens were readily resolved. As the result of
discussions with the subsystem manager and review of the updated
FMEA/CIL, all initial
issues were resolved and changes were made to the FMEA/CIL and 
IOA worksheets. The overview further shows the comparison of 
failures of the major elements of the elevon actuators. 

The IOA effort first completed an analysis of the Ascent Thrust 
Vector Control Actuator (ATVC) hardware, generating draft failure 
modes, and PCIs. To preserve independence, this analysis was 
accomplished without reliance upon the results contained within 
the NASA FMEA/CIL documentation. 

The IOA analysis of the ATVC actuator hardware initially generated 
25 failure modes worksheets and identified 16 PCIs before starting 
the assessment process. The results were compared to the proposed 
NASA Post 51-L baseline (5 May 1987) of 21 FMEAs and 15 CIL items 
and the updated (7 December 1987) version of 21 FMEAs and 13 CIL 
items. A resolution of each discrepancy from the comparison was 
provided through additional analysis as required. Upon completion 
of the assessment, all of the IOA and NASA failure modes were in 
agreement.
C.3 Displays and Control Subsystem


The IOA product for D&C analysis consisted of 134 failure mode 
worksheets that resulted in 8 PCIs being identified. In order 
to facilitate comparison, 37 additional failure mode worksheets 
were generated. Comparison was made to the NASA baseline of 4 
January 1988, which consisted of 264 FMEAs and 21 CIL items. 

The comparison determined if there were any results which had 
been found by the IOA but were not in the NASA baseline. This 
comparison produced agreement on all but 45 FMEAs, which caused 
no differences in the CIL items. Reference Figure C.3. 

The issues arose due to different interpretation of NSTS 22206
FMEA and CIL preparation instructions. IOA analyzed the electrical
circuit as a black box, and NASA analyzed the components of the 
black boxes. Of the 45 differences with the FMEAs, all were minor 
and did not affect criticalities assessment. In conclusion, IOA 
is in full agreement with the revised NASA CIL baseline. 


C.4 Guidance, Navigation and Control System

The IOA product for the GNC analysis consisted of 141 failure 
mode worksheets that resulted in 24 PCIs being identified. In 
order to facilitate comparison, 34 additional failure mode
worksheets were generated. Comparison was made to the NASA baseline
(as of 4 January 1988) which consisted of 148 FMEAs and 36 CIL 
items. The comparison determined if there were any results which 
had been found by the IOA but were not in the NASA baseline. This 
comparison produced agreement on all but 56 FMEAs, which caused 
differences in zero (0) CIL items. Reference Figure C.4a & b. 

The issues arose due to different interpretation of NSTS 22206
FMEA and CIL preparation instructions. IOA analyzed the
components of the electrical circuits, generating 56 worksheets more
than NASA, who treated the electrical circuits as black boxes.
Of these 56 differences with the FMEAs, all were minor and did
not affect criticalities assessments. Three (3) of the FMEA
issues were with the SRB RGA's EPD&C. No drawings were available 
to assess these FMEAs. In conclusion, IOA is in full agreement 
with the revised NASA CIL baseline. 


C.5 Orbiter Experiments

The IOA analysis of the OEX hardware initially generated 82 
failure mode worksheets and identified 2 PCIs before starting 
the assessment process (Fig. C.5). These analysis results were 
compared to the proposed NASA Post 51-L baseline of 191 FMEAs 
and 1 CIL item, which was generated using the older FMEA/CIL 
instructions. Upon completion of the assessment, 167 of the 191 
FMEAs were in agreement. Of the 24 that remained, 21 were IOA 
3/3 FMEAs on components not addressed by NASA. Of the remaining 
3, 2 issues were with FMEAs criticality level. The remaining 
issue concerns a FMEA on a component which no longer exists, thus
no FMEA is needed.


C.6 Auxiliary Power Unit

Comparison of the IOA APU analysis product with the NASA APU
FMEA/CIL baseline which emerged from the NASA FMEA/CIL review
process, produced numerous discrepancies. Discussions of these
discrepancies with the NASA Subsystem Manager resulted in the
identification of 28 issues, which were taken to the
NASA/Rockwell FMEA review working group meetings for consideration.
These reviews resulted in the addition of 4 new hardware FMEAs 
to the APU FMEA baseline, 3 of which are CIL items. 

Two (2) IOA issues remain for the APU subsystem at the completion 
of the assessment (Fig. C.6). The first issue is a carryover 
from the original 28 issues, and involves a fuel line temperature 
sensor, which is not covered by the existing FMEA baseline. The 
APU Subsystem Manager agreed that this sensor, the fuel pump
bypass line temperature sensor (MDAC ID 417X), should be covered
since loss of it could lead to curtailment of orbit activities
(if one other sensor is lost), but stated that consideration of
APU instrumentation FMEAs had been deferred indefinitely to allow
completion of the review of higher-criticality FMEAs. IOA
recommends adding a FMEA to cover failure of this sensor at
criticality 3/2R. IOA recommends a criticality of 3/1R for FMEA
04-2-518A-2 (lube oil heater thermostat failed closed), to
match the effect of possible loss of an APU due to lube oil
overheating cited in APU electrical FMEAs 05-6N-2048-2, 05-6N-2050-2,
and 05-6N-2051-2. This discrepancy between hardware FMEAs and
electrical FMEAs did not emerge during the initial assessment of 
the hardware FMEAs. 


C.7 Backup Flight System

The IOA product for the BFS analysis consisted of 29 failure mode 
worksheets that resulted in 21 PCIs being identified. This product 
was originally compared with the proposed NASA BFS baseline as of 
October 1986, and subsequently compared with the applicable (as of 
19 November 1987) Data Processing System (DPS), Electrical Power
Distribution and Control (EPD&C), and Displays and Controls NASA
CIL items. The comparisons determined if there were any results 
which had been found by the IOA but were not in the NASA baseline. 

The original assessment determined there were numerous failure 
modes and PCIs in the IOA analysis that were not contained in the 
NASA BFS baseline. Conversely, the NASA baseline contained 3 
FMEAs (IMU, ADTA, and Air Data Probe) for CIL items that were not 
identified in the IOA product. The IOA prepared worksheets and 
agreed with the NASA analysis for the 3 items. This increased 
the IOA worksheets from 29 to 32 and the PCIs from 21 to 24 for 
the original assessment as shown in Figure C.7. 

NASA and Rockwell conducted several reviews and completed
a substantial rewrite of all CILs between December 1986 and
November 1987. This effort included eliminating BFS as a 
unique subsystem by integrating BFS CILs with primary DPS CILs. 
The revised NASA baseline contained 4 more FMEAs for CIL items 
that were not identified in the original IOA BFS product, 
deleted the IMU CIL related FMEA mentioned in the previous 
paragraph, and moved the ADTA and Air Data Probe CILs also 
mentioned in the previous paragraph, to the GN&C subsystem. 

Once again, the IOA prepared worksheets and agreed with the NASA 
analysis of the additional failures. This increased the IOA 
worksheets from 32 to 33 and the PCIs from 24 to 25 for the final 
assessment. The IOA assessment of the final updated baseline (19 
November 1987) results in agreement on all BFS CIL items, even 
though there are differences in number of items and assigned 
criticalities. Figure C.7 presents an overview of the assessment 
results. 

The differences in assigned criticalities are due to different 
interpretation and application of the FMEA/CIL preparation
instructions contained in NSTS 22206. The IOA analyzed BFS
hardware failures with the assumption the BFS had been or would be
engaged. NASA analyzed BFS hardware failures as an integral part 
of the DPS or EPD&C and, therefore, counted generic PASS failures 
when assigning criticalities to BFS hardware failure modes. The 
IOA interpretation neither added to, nor subtracted from the CIL. 


C.8 Electrical Power Distribution and Control

The IOA product for the EPD&C analysis consisted of 1,671 failure
mode analysis worksheets that resulted in 468 PCIs being identified.
Comparison was made to the proposed NASA Post 51-L baseline
(as of 31 December 1987), which consisted of 435 FMEAs and 158 CIL
items. Differences between the number of IOA worksheets and NASA
FMEAs resulted from different levels of analysis (e.g., grouping
components into one FMEA versus a worksheet for each component),
failure modes not being identified within the original analysis, 
and the fact that 2 different schematic sets were used (NASA used 
Rockwell International assembly drawings and IOA used the 
Rockwell International integrated schematics). Figure C.8 
presents a comparison of the proposed Post 51-L NASA baseline, 
with the IOA recommended baseline. 

The issues arose due to differences between the NASA and IOA 
interpretation of the FMEA/CIL preparation instructions, 
definitions of screen detectability, and some ignorance of flight 
procedures on the part of IOA. After comparison, there were no 
discrepancies found that were not already identified by NASA, and 
the remaining issues are the result of the differences in the 
schematics used by NASA and IOA. 


C.9 Landing/Deceleration Subsystem

The IOA analysis of the Landing/Deceleration hardware initially
generated 246 failure mode worksheets and identified 124
Potential Critical Items (PCIs) before starting the assessment 
process (Fig. C.9). In the analysis report, the Landing/Deceleration 
Subsystem was divided into six separate functional areas 
according to hardware and function. Difficulty was encountered 
in the hardware analysis due to the large amounts of proprietary 
hardware, the tires and wheels, and many of the mechanisms of the 
landing gear and the hydraulics systems. The initial NASA 
Document, STS 82-0013, consisted of five separate functional 
areas which included one hundred eighteen (118) FMEA/CIL's. 

After the initial definition of the subsystem, the thirty two (32)
NWS FMEAs were removed and a separate group was initiated to
prepare the analysis for that subsystem. A decision was made to
include the EPD&C data for the subsystem, and one hundred twenty
two (122) Electrical FMEAs were added to the subsystem; later,
eight additional FMEAs were added to the EPD&C portion of the
subsystem. In November 1986, forty four (44) Hydraulics FMEAs
were added to the subsystem. After the initial IOA analysis was
completed in January 1987, a decision was made to remove the
pyrotechnic devices from the subsystem, which removed six FMEAs
from the NLG and MLG subsystems. At the time of this
report there are six subsystems that have been evaluated,
including 267 NASA FMEAs and 120 CIL items; there are 75 issues
between the NASA documentation and the IOA data.

The IOA analysis did not include fourteen of the NASA FMEAs due 
to the lack of data to support the evaluation, and many of the 
FMEAs were evaluated using documentation such as training manuals 
and component procurement specification documents. The general 
lack of documentation and the proprietary nature of the data were 
major problems for the analysis. 

The majority of the hardware issues were prepared on portions of 
the subsystem where the NASA FMEAs would cover a whole assembly 
with a limited number of FMEAs and the IOA analysis concluded 
that a single NASA FMEA was covering several 1/1 failures that 
were within the single FMEA. Several major components appeared 
to be overlooked or considered to be a part of an assembly by the 
NASA assessment. The IOA assessment also uncovered several 
functional FMEAs that were discussed with the NASA subsystem 
manager. Only the initial FMEA data on the hardware subsystems 
was analyzed and the assessment reflects only the analysis of 
that data. 

The majority of the electrical (EPD&C) issues were prepared due 
to operational discrepancies or evaluation differences on the 
criticality of the function or hardware capability. This portion 
of the document was completely analyzed and the assessment 
includes the final resolution of the EPD&C data. 


C.10 Purge, Vent and Drain System

The IOA product for the PV&D independent analysis consisted of 62
failure mode worksheets that resulted in 16 PCIs being
identified. A comparison was made of the IOA product to the NASA
FMEA/CIL dated 20 November 1987, which consisted of 42 FMEAs and
8 CIL items. The difference in the number of IOA analysis
worksheets and NASA FMEAs can be explained by the different 
levels of analysis detail performed to identify failure modes. 

The comparison determined if there were any results found by the 
IOA that were not included in the NASA FMEA/CIL. 

The assessment produced agreement on all but 5 failure modes.
Three (3) failure modes for components were not identified by the
NASA FMEAs, 1 being a CIL item. Two (2) failure modes were 
identified by IOA and NASA which have differences in criticality 
resulting in 2 new CIL items. Figure C.10 presents a comparison of 
the proposed Post 51-L NASA FMEA/CIL baseline with the IOA 
recommended baseline and any issues. Detailed discussion of IOA 
issues and recommendations are provided in subsequent paragraphs. 

The assessment between the IOA Purge System worksheets and NASA 
Post 51-L FMEA/CIL baseline produced 1 issue. IOA recommends the 
addition of a FMEA to the NASA baseline for the failure mode, 
check valve leakage, as identified in IOA worksheet 9009. The 
criticality for this failure mode is 3/3. 

The assessment between the IOA WCCS worksheets and NASA Post 
51-L FMEA/CIL produced 3 issues. IOA recommends the addition of 
a FMEA to the NASA baseline for the failure mode WCCS outer 
cavity tubing clogging, as identified in IOA worksheet 9036. The 
criticality for this failure mode is 1/1 and, therefore, requires 
NASA to generate a CIL. After further review/analysis, IOA agreed
to a 1/1 criticality for NASA Baseline FMEA/CIL 01-5-332404-5,
WCCS desiccant filter outer cavity leakage. However, NASA Baseline
FMEA/CIL 01-5-332404-6 describes the same component, same
failure, and same results, but with different windows with the
same design as a criticality 3/3. IOA recommends combining the 2
NASA FMEAs with a criticality of 1/1. IOA disagrees with NASA
Baseline FMEA 01-5-332406-5 designated criticality 3/3. IOA worksheet
9037 for the same failure mode, WCCS outer cavity tubing
leakage, identifies the criticality as 1/1. NASA Baseline FMEA
01-5-332403-1 identifies the same failure mode for the tubing,
but for a different set of windows as a criticality 1/1. After
further analysis, IOA determined that the windows are all of
the same design. Therefore, the criticality of 1/1 should be
consistent. IOA recommends the combination of NASA FMEA/CILs
01-5-332403-1 and 01-5-332406-5 with an identified criticality
of 1/1 as presented on NASA Baseline FMEA/CIL 01-5-3320403-1
and IOA worksheet 9037.

The assessment between the ET/ORB Purge Disconnect Network IOA 
worksheets and NASA Post 51-L FMEA/CIL baseline produced 1 issue. 
IOA recommends the addition of a FMEA to the NASA baseline for 
the failure mode, ET/ORB Purge Disconnect external leakage, as 
identified in IOA worksheet 9060. The criticality for this failure
mode is 3/3. IOA recognizes this as a credible failure mode.
C.11 Pyrotechnics


The IOA analysis of the Pyrotechnics hardware initially generated 
41 failure mode worksheets and identified 41 PCIs before starting 
the assessment process (Fig. C.11). No additional failure mode
analysis worksheets were generated to facilitate comparison. 

These analysis results were compared to the proposed NASA Post 
51-L baseline of 37 FMEAs and 37 CIL items, which were generated 
using the NSTS-22206 FMEA/CIL instructions. Upon completion of 
the assessment, 27 of the 37 FMEAs were in agreement. Of the 13 
that remained, 7 had minor discrepancies that did not affect 
criticality. Of the remaining 6, 3 were the result of data entry 
errors and involve the numerical criticality assignment. IOA 
recommends upgrading the criticalities of 2 IOA FMEAs from 2/1R 
to 1/1 and downgrading the criticality of 1 IOA FMEA from 1/1 to 
2/1R. There are 4 IOA FMEAs for 2 components not analyzed by 
NASA FMEAs. In summary, IOA recommends that the credible failure 
modes of "Fail to Function" and "Inadvertent Operation" be 
included for the respective pressure cartridges in the RMS 
Guillotine Assembly and the Rendezvous Radar Release Mechanism. 


C.12 Thermal Control System


C.12.1 Active Thermal Control System 

The ATCS Assessment Overview figure C.12a lists the total number of 
IOA and NASA FMEA and CIL items along with a comparison of the 
discrepancies or issues identified during the assessment. For 
analysis purposes, the ATCS was divided into 4 subsystems: 
the Freon Coolant Loop (FCL), the Radiator Flow Control Assembly
(RFCA), the Flash Evaporator System (FES) and the Ammonia Boiler
System (ABS).

The IOA analysis of the ATCS hardware initially generated 310 
failure mode worksheets and identified 101 PCIs before starting 
the assessment process. In order to facilitate comparison, 74 
additional failure mode worksheets were generated. Additionally, 
upon closer examination, IOA deemed 10 of the original failure 
modes to be non-credible and recommends deleting them. Thus, the 
final IOA analysis identified 374 FMEAs and 147 potential CILs. 

The analysis results were compared to the available NASA FMEA/CIL 
data. A total of 252 NASA FMEAs and 109 NASA CILs were identified. 
The discrepancy between the number of IOA and NASA FMEAs can be 
explained by the different approaches used by NASA and IOA to 
group failure modes. This resulted in multiple IOA FMEAs being 
mapped to a single NASA FMEA. However, every NASA FMEA is mapped 
to at least 1 IOA worksheet. A total of 101 FMEA and 30 CIL 
issues were identified on the ATCS. A number of these issues 
involved failures which were identified by IOA but not by NASA. 
These included external leakage of heat exchanger fluid and external
leakage of water/steam from the FES ducts. These failures
plus the remaining issues should be examined by NASA and included
in the FMEA package as required.

C.12.2 Life Support and Airlock Support System

The IOA product for the Life Support System (LSS) and Airlock
Support System (ALSS) analysis consisted of 511 failure mode
worksheets that resulted in 140 PCIs. Comparison was made to 
the NASA baseline dated 1 October 1987 which consisted of 456 
FMEAs and 101 CIL items. After the assessment process, the 
number of IOA analysis worksheets rose to 694, with 171 total 
CIL items. The difference in the number of IOA analysis worksheets
and the NASA FMEAs can be explained by the different
levels of analysis detail performed to identify failure modes. 
Figure C.12b presents a comparison of the proposed Post 51-L NASA 
data, with the IOA recommended baseline, and any issues. 

In the Supply Water Subsystem (SWS), one major discrepancy noted
between the NASA FMEA approach and the IOA analysis was the use of
multiple failure scenarios in assigning the functional criticalities.
The IOA approach determined what the redundancies were for
the hardware item under study, and then assigned the functional
criticality consistent with NSTS-22206. The NASA approach seemed
to define the redundancy to the effect after the item had failed.
Thus, IOA believes that the functional criticalities become so
broad that visibility into a particular hardware item will be lost.
For example, the NASA assessment of water system leaks relates to
loss of the Flash Evaporator System but is further related to loss
of the Total Active Thermal Control System (Radiators and Ammonia
Boilers) and classified a 1R criticality. The IOA analysis
considered that the Flash Evaporator System may be deprived of water,
which was considered a mission loss condition or a 2R criticality.
The radiators and the ABS are considered unassociated failures.

Another discrepancy was over the determination of functional
criticality for total loss of all redundancies in conjunction with 
the failure mode under study. For example, on the fuel cell outlet 
lines, the NASA FMEA treated the functional loss to receive fuel 
cell water due to external leakage the same as the case for 
restricted line flow. IOA agreed that restricted flow results in 
"dead-heading" of the fuel cells, thus potentially a loss of life
or vehicle condition. However, external leakage was considered 
only a mission impact for the functional loss. 

The Waste Management Subsystem assessment centered on the 
following 2 issues. First, a potential loss of the WCS was 
viewed as a 3/2R criticality by IOA for any "off nominal" 
condition. The condition of "off nominal" was defined as any 
failure which could potentially require use of contingency waste 
collection methods if another failure occurred. However, the NASA 
FMEA listed these as non-mission essential failure criticalities. 
Second, the IOA analysis viewed a Vacuum Vent Dump Line blockage 
or loss of the heaters as a potential loss of life/vehicle 
condition. A potentially hazardous atmosphere of hydrogen and 
oxygen could occur in the vacuum vent line if it were blocked by 
debris or ice. 

[Figure: LSS/ALSS ASSESSMENT SUMMARY]

In the Smoke Detection and Fire Suppression (SD/FS) subsystems,
the major outcome of the analysis and assessment points up the
criticality of the Avionics Bay Fire Suppressant containers.

The concern of these single string circuits is during the ascent 
and entry phases when the crew has no opportunity to use the
portable extinguishers in the event the primary bottles fail to 
discharge. Another consideration is the common power source for 
the smoke detectors and the reset signal. Isolation of the 2 
should increase the possibilities of bypassing a reset circuit 
problem. The actual issues defined were related to screen 
differences and suggest deleting 10 items as CILs while adding 2 
items, and modifying 10 criticalities without affecting the CIL 
count.

The following is a discussion of the Airlock Support System 
(ALSS) assessment. The principal reason for assessment
discrepancies between the NASA FMEA and the IOA analysis centered on
the consideration that the Airlock is not, and should not be, a
system classified as emergency hardware. It may be true that the
crew can use it for emergency EVAs, but this is part of the
procedure that has been devised to solve an emergency in another
system. To compound that failure, that is, failing the airlock
along with the emergency failure, to increase the criticalities
is like assigning criticalities to procedures devised to solve the
original emergency. With the same logic, the EMU suits will have
to be declared an emergency system which is also unacceptable
because this was not the original intent for either system,
Airlock or EMU.


C.13 Crew Equipment

The IOA analysis of the Crew Equipment hardware initially generated 
352 failure mode worksheets and identified 78 PCIs before starting 
the assessment process. In order to facilitate comparison, 78 
additional failure mode analysis worksheets were generated. These 
analysis results were compared to the proposed NASA Post 51-L
baseline of 351 FMEAs and 82 CIL items. The FMEAs that remained had
minor discrepancies that did not affect criticality. 

An overview of the quantity of NASA FMEAs assessed, versus the 
recommended IOA baseline, and any issues identified is presented 
in Figure C.13. 

The more significant assessment results for each area within 
the Crew Equipment Subsystem are addressed in the following 
discussions:


C.13.1 EVA Equipment Assessment Results 

The IOA analysis identified 5 failure modes of the EVA scissors. 
NASA determined the EVA scissors were non-critical items, so 
there were no FMEA/CILs available for comparison. The assessment
of the EMU light assembly generated 8 new failure modes. One (1)
of these failure modes (MDAC ID 11216) shows the battery cell as
a criticality 1/1 because of the possibility of toxic venting or
explosion. Three (3) new FMEAs were generated for the OBS. The
IOA analysis of the OBS identified 5 failure modes which were not
considered by NASA. The failure modes were not critical, but were
included for completeness. The assessment of the PFR generated 1 
new FMEA, which was not critical. 


C.13.2 EVA Tethers Assessment Results 

The IOA disagrees with NASA's analysis of a hook failing to close 
as criticality 1/1. The failure mode implies to an unrestrained 
crewmember. The IOA differs with NASA on this issue for both the 
ERCM safety tether and the waist tether. For all other failure 
modes, MDAC either agrees with or accepts NASA's analysis.


C.13.3 EVA Tools Assessment Results 

The NASA analysis does not include a failure mode corresponding to 
a failure of the 3-point latch hook. This failure mode should be 
added to NASA's FMEA/CIL database. The IOA believes that NASA's 
analysis of the snatch block hook latch as a criticality 2/1R is 
too high and should be lowered. If the hook latch fails to close, 
then the tool is not in use at that time. For the other EVA tools, 
the IOA either agrees with or accepts NASA's results. 


C.13.4 IVA Tools Assessment Results 

The FMEA/CIL assessment recommends deleting 3 FMEAs as being
non-credible failures (MDAC IDs 4200, 4307, and 4310). With these
deletions, IOA agrees completely with NASA on the IVA tools that 
were analyzed. All of the tools were found to be non-critical 
primarily because of redundant hardware. 


C.13.5 Food Assemblies Assessment Results 

The IOA found that none of the hardware which had been analyzed 
were critical hardware. IOA identified 35 FMEAs which were not 
analyzed by NASA, and generated 44 new FMEAs to correspond to 
failure modes NASA identified which had not been analyzed by IOA. 
The slight differences in criticality ratings of FMEAs between IOA 
and NASA are primarily due to differences in groundrules. During 
the assessment process, it was determined that 5 IOA failure modes 
were non-credible and IOA recommends that these be deleted. 


C.13.6 Orbiter Hardware Assessment Results 

The IOA found that none of the Orbiter hardware, which had been 
analyzed, were critical hardware. The assessment did generate 
2 new FMEAs for the treadmill and 6 new FMEAs for the COAS. The 
assessment recommends accepting NASA's FMEAs and criticalities
for the mid-deck stowage lockers. 


C.14 Instrumentation

The IOA analysis of the Instrumentation hardware initially 
generated 88 failure mode worksheets and identified 8 PCIs before 
starting the assessment process (Fig. C.14). These analysis 
results were compared to a NASA baseline which was frozen as of 1
January 1988, with 14 Post 51-L FMEAs included in a total of 96 
FMEAs and 18 CIL items, which were generated using the referenced 
FMEA/CIL instructions. Upon completion of the assessment, 82 
of the 107 FMEAs were in agreement. Of the 25 that remained, 4 
are 2/2 criticality and not currently on the NASA CIL list and 7 
new FMEAs were generated which had no NASA match. The remaining 
14 FMEAs are of a different criticality than the NASA 
interpretation. None of these 14 FMEAs affect the CIL listing. 


C.15 Data Processing System

The IOA analysis of the DPS hardware initially generated 85 failure
mode worksheets and identified 2 PCIs before starting the
assessment process. In order to facilitate comparison, 37 additional
failure mode analysis worksheets were generated (See Fig.
C.15). These analysis results were compared to the proposed NASA 
Post 51-L baseline of 78 FMEAs and 25 CIL items, which was 
generated using the Rockwell 100-2G FMEA/CIL instructions. Upon 
completion of the assessment, 60 of the 78 FMEAs were in 
agreement. Of the 18 that remained, 14 had minor discrepancies 
that did not affect criticality. Of the remaining 4, 2 issues 
were with FMEAs (05-5-B03-1-1 and 05-5-B03-2-1) that had 
considered failure modes outside the DPS subsystem, and caused 
inflated criticalities. These criticalities mistakenly placed 
both FMEAs on the CIL. The other 2 issues were with FMEAs
(05-5-B01-1-1 and 05-5-B02-1-1) that also considered failure modes
outside the DPS subsystem. However, when the correct failure 
mode is included, the current criticalities will remain 
unchanged. In summary, all issues may be attributed to 
differences between ground rules in Rockwell 100-2G and NSTS 
22206 instructions. The IOA recommends correcting the failure 
modes considered in the 4 FMEAs, which lowers criticality 
assignments in 2 of the FMEAs, and removes them from the CIL. 


C.16 Atmosphere Revitalization Pressure Control System

The IOA analysis of the ARPCS hardware initially generated 266 
failure mode worksheets and identified 89 PCIs before starting 
the assessment process. In order to facilitate comparison, 22 
additional failure mode analysis worksheets were generated. 

Figure C.14 - INSTRUMENTATION ASSESSMENT

Figure C.15 - DPS FMEA/CIL ASSESSMENT

These analysis results were compared to the proposed NASA Post 
51-L baseline of 262 FMEAs and 87 CIL items. Upon completion of 
the assessment, of the 273 total IOA failure modes, 124 remained 
as issues to be resolved. A summary of the FMEA/CIL counts for 
IOA and NASA is provided in Figure C.16, and some of the 
significant issues follow. 

The FMEA considered the LEH panels as emergency systems; and, as 
such, it was seen as potential for loss of life/vehicle for any
failure which resulted in loss of LEH usage. IOA accepted this 
assumption with some reservations. First, the LEH panels do not 
fit into the strict definition of the emergency systems stated in 
the NSTS-22206, Paragraph 2.1.e. This definition excludes
hardware (such as LEH panels) which performs a function used 
during any nominal mission phase or during intact abort. 

Second, there is no limitation as to how broad this definition 
will be used throughout the ARPCS. That is, any failure of an 
item upstream of the LEH panels which negates the use of the LEHs 
is compounded by the assumption that an emergency condition 
exists. This approach seems to be too conservative, which may 
result in loss of visibility into an item when studied under 
nominal conditions. 

The FMEA studied "cracked mounting flange" failure mode for the
cabin negative relief valve (FMEA 06-1-0203-3) and cabin positive
relief valve (FMEA 06-1-0201-3). The causes are listed as
material defect, mechanical shock, and vibration. IOA did not 
study this failure mode, and considered the failure mode and 
cause relationship not credible. The material defect is ruled 
out based on the IOA general project groundrule (Appendix B.2.4), 
otherwise this failure mode should be included for all hardware 
items. The mechanical shock and vibration are not realistic 
since their magnitude must be very high and far beyond the 
structural integrity of the vehicle in order to cause such a 
failure. Also, this condition presumes a failure already in 
progress (vehicle undergoing severe and dangerous condition) 
contrary to the NSTS-22206 hardware criticality groundrules. 

FMEA studied "inability to restrict" as failure of the flow 
restrictor. IOA considered this failure mode and cause 
relationship not credible and it was, therefore, not studied. 
There was no detailed FMEA information to further investigate 
this failure mode. 

FMEA studied "restricted flow" for lines and fittings. IOA 
studied this failure mode for appropriate hardware items on the 
line. This was done primarily because the causes of flow 
restriction (contamination, corrosion) most likely will 
restrict flow at the hardware items (valves, screens, etc.)
before the line. Second, the restricted flow of an item 
at a particular location on the line may yield different effects 
and criticalities, and hence is easier to investigate. 

IOA studied electrical solenoids and motors separately from their 
associated valves, and did not find any reference to them in the
FMEA data. However, a match of these items was made based on the
FMEA results for the valve. The electrical solenoids and motors
may be either covered separately or the failure modes and causes
assessed for the valves should address them.


C.17 Hydraulic/Water Spray Boiler

The IOA product for the HYD/WSB analysis consisted of 447 failure 
mode worksheets that resulted in 183 PCIs being identified. 
Comparison was made to the NASA baseline (as of 19 November 1986) 
which consisted of 364 FMEAs and 111 CIL items. The comparison 
determined if there were any results which had been found by the 
IOA but were not in the NASA baseline. This comparison produced 
agreement on all but 68 FMEAs which caused differences in 23 CIL 
items. Figure C.17 presents a comparison of the proposed Post 51-L 
NASA baseline, with the IOA recommended baseline, and any issues. 

The issues arose due to differences between the NASA and IOA
FMEA/CIL preparation instructions. NASA had used an older groundrules
document which has since been superseded by the NSTS 22206 used by 
the IOA. After comparison, there were no discrepancies found that 
were not already identified by NASA, and the remaining issues may 
be attributed to differences in groundrules. 


C.18 Mechanical Actuation Subsystem

An overview of the quantity of NASA FMEAs assessed, versus the 
recommended IOA baseline and any identified issues, is presented 
in Figure C.18. In the analysis and assessment report, the MAS was 
divided into nine sections according to hardware and function. 

Each of these sections is identified, with summary assessment
results, in Figure C.18. 

The IOA analysis of the MAS hardware initially generated 685 
failure mode worksheets and identified 476 Potential Critical 
Items (PCIs) before starting the assessment process. In order to 
facilitate comparison, 28 additional failure mode analysis 
worksheets were generated. These analysis results were compared 
to the proposed NASA Post 51-L baseline (5 February, 1988) of 510 
FMEAs and 252 CIL items using available NASA FMEA/CIL data. The 
discrepancy between the number of IOA and NASA FMEAs can be 
explained by the different approach used by NASA and IOA to group 
failure modes. In many cases, multiple IOA FMEAs were mapped to 
a single NASA FMEA. The MAS assessment identified a total of 472 
issues. Many of these issues resulted from failures identified 
by IOA which could not be matched to available NASA FMEAs. It is 
believed that other issues resulted from IOA use and 
interpretation of NSTS-22206 differing slightly from criteria 
used by RI and NASA, and a difference in criticality assignments 
for a particular hardware item or function.

C.19 Manned Maneuvering Unit


The IOA analysis of the MMU hardware initially generated 136 failure
mode worksheets and identified 69 PCIs before starting the
assessment process. In order to facilitate comparison, 57 
additional failure mode analysis worksheets were generated. These 
analysis results were compared to the proposed Martin Marietta Post 
51-L baseline of 179 FMEAs and 110 CIL items. Upon completion of 
the assessment, 121 of the 204 IOA failure modes remained as issues 
to be resolved. A summary of the FMEA/CIL counts for IOA and NASA 
is provided in Figure C.19, and some of the significant issues 
follow. 

The Martin Marietta analysis format lacked a comprehensive 
definition of the flight phases, screens, and the item(s) under 
study. All the flight phases were not always analyzed for prep, 
ops, and post ops for each failure mode. The screens A and B 
were not specifically designated per NSTS 22206. IOA had to
interpret their status based on very limited information 
provided. Screen C was not addressed; and it was, therefore, 
left blank throughout the assessment. 

The Martin Marietta analysis did not address a specific hardware
item in some cases, but used an assembly instead. This made
it very difficult to investigate failure modes and effects of a 
particular item and its impact on the overall system. 

The MMU PREP and POST-OPS definitions were not too clear, and it 
was consequently difficult to match their criticalities. IOA 
considered every MMU activity to begin with PRE-OPS activities 
and end with POST-OPS activities prior to the start of the next 
MMU OPS. The Martin Marietta definition seems to suggest that 
the PREP activities start with the first MMU PRE-OPS and stop 
after the last MMU OPS activity. The period after the last 
planned MMU OPS will then be POST-OPS. 

There were a number of issues related to the treatment of the 
multi-position switches. Martin Marietta used a more broad and 
general failure mode approach, such as open or closed. IOA 
considered and investigated the failure of single contact 
positions for open and closed and assigned the worst case 
criticality. Multi-position switches to fail open or closed 
were, in general, considered to be unreasonable. 

Electrical items, such as diodes, resistors, relays, etc. 
associated with an LRU circuit were not studied by Martin 
Marietta. IOA provided analysis for these items to be 
incorporated into the final FMEA/CIL study. 


C.20 Nose Wheel Steering Subsystem

The IOA analysis of the NWS hardware initially generated 78 
failure mode worksheets and identified 42 Potential Critical 
Items (PCIs). As a result of the assessment process, 15 NWS
failure mode worksheets were deleted and an additional 5 analysis
worksheets were generated and added to the assessment package. 

The assessment comparison also gave rise to 14 issues between the 
IOA NWS analysis and the corresponding NASA FMEAs (Fig. C.20). 

Of these issues, 9 are the result of failure modes generated by 
the IOA that did not have corresponding NASA FMEAs. The 
remainder of the issues are the result of differences in the NWS 
subsystem failure mode assigned hardware/functional
criticalities.

The most significant Orbiter assessment issue was uncovered 
during the Nose Wheel Steering (NWS) subsystem analysis. The 
failure mode was a "stuck" autopilot pushbutton causing the worst 
case effect of loss of crew/vehicle (criticality 1/1). The
Orbiter autopilot is used for entry, and manually disengaged
before landing. The autopilot is engaged by "Roll/Yaw Auto" and
"Pitch Auto" pushbutton indicators (PBIs). If either "Auto" PBI
fails closed, the autopilot cannot be permanently disengaged. 

With the autopilot remaining engaged, the Orbiter will attempt to 
"Autoland", which requires a Microwave Landing System (MLS) on 
the ground. MLS is not required for day landings, and has not 
been "available" for four of the last seven STS missions. 

Without the MLS, use of the autoland alone will cause the Orbiter 
to miss the runway. A single point failure with no redundancy 
and which threatens loss of crew/vehicle is categorized by NSTS 
22206 as a "criticality 1" item. Rockwell is adding the failure 
mode to the FMEA/CIL baseline and developing a software change to 
bypass a failed "Auto" switch. 

Some of the criticality issues cannot be resolved without 
performing additional analysis or testing of the NWS system. 

Other issues can be more easily resolved by establishing official 
flight rules or crew procedures for certain failure modes. In 
either case, IOA has recommended upgrading the existing 
criticalities of the affected NWS components until conclusive 
test/analysis results or written flight rules/crew procedures are 
available to support downgrading the criticalities. 

The IOA assessment of the existing CILs gave rise to 9 issues. 

Of these issues, 8 are the result of IOA identifying additional 
Potential Critical Items. One PCI concerns the generation of 
independent FMEA/CILs for like critical hardware as recommended
by NSTS 22206. A second PCI is the result of an IOA recommended
criticality upgrade. The remainder of the 8 PCIs concern 
hardware or failure modes excluded by the NASA analysis. IOA 
also recommends the deletion of one NASA CIL. 


C.21 Remote Manipulator System

The overview (Fig. C.21a) presents the results of the RMS hardware 
assessment and the final results. Each component is identified 
along with the number of FMEAs, CILs, and issues for each. There 
are 69 issues which remain open. These issues occurred in the 
MCIU, Arm Based Electronics, and the Mechanical Arm.

The final results of the RMS assessment are that 154 issues were 
identified. Eighty-five (85) of these issues were resolved with 
the NASA Subsystem Manager. Of these 85 issues, 64 were resolved 
without change to the baseline. Twenty-one (21) failures were 
combined, resulting in 3 new FMEAs and 3 new CIL items. The 15 
remaining IOA failure modes were added as additional causes to 
existing FMEAs. The 69 IOA RMS issues that remain open concern 
the difference in criticalities due to software routines being 
classified as unlike redundancy. IOA feels that they should not 
be used to lower the criticalities of the affected FMEAs. 

The IOA analysis of the EPD&C/RMS hardware (Fig. C.21b) initially 
generated three hundred and forty-five (345) failure mode 
worksheets and identified one hundred and seventeen (117) 
Potential Critical Items (PCIs) before starting the assessment 
process. These analysis results were compared to the proposed 
NASA Post 51-L baseline of one hundred and thirty-two (132) FMEAs 
and sixty-six (66) CIL items, which were generated using the 
NSTS-22206 FMEA/CIL instructions. IOA generated failure mode 
analysis worksheets for both port and starboard Remote 
Manipulator Systems whereas the NASA generated FMEAs for only one 
system (did not specify which). The IOA analysis was performed
on a component level for components assigned reference designator 
numbers on the drawings with one component per worksheet. The 
NASA analysis was performed with like multiple similar components 
on one FMEA. In some cases the NASA FMEAs were generated for an 
entire circuit without necessarily specifying the components 
included in the circuit by any identification number, thus direct 
comparisons of the IOA and NASA analyses were not meaningful in 
the sense of numbers of failures and identification of 
criticalities that have any uniformity. Efforts to compare the 
two analyses required consolidation of components in all but a 
few cases where the items were single point failure items as some 
of the switches were found to be. Twenty-eight (28) additional 
IOA failure mode analysis worksheets were generated to facilitate 
comparison. Upon completion of the assessment, five (5) issue
items were identified that involved critical items where IOA
recommends that NASA FMEAs be generated for that failure mode of
the component or where the NASA criticality for that failure mode
of that component be upgraded. There were also six (6) issues
identified where IOA recommends upgrading of the NASA assigned 
criticality but these are not critical items list candidates. 

C.22 Atmospheric Revitalization System

The ARS Assessment Overview figure C.22 lists the total number of 
IOA and NASA FMEA and CIL items, along with a comparison of the 
discrepancies or issues identified during the assessment. For 
analysis purposes, the ARS was divided into 6 subsystems: the
Pump Package, the Avionics/Water Loop, the Heat Exchanger, the
Avionics/Air Loop, the IMU/Air Loop and the Cabin/Air Loop.

Figure C.21b - EPD&C/RMS FMEA/CIL ASSESSMENT

The IOA analysis of the ARS hardware initially generated 245
failure mode worksheets and identified 84 PCIs prior to starting
the assessment process. In order to facilitate comparison, 74 
additional failure mode worksheets were generated and 8 of the 
original worksheets were deleted. Thus, the final IOA analysis 
identified 311 FMEAs and 84 potential CILs. The analysis results 
were compared to the available NASA FMEA/CIL data. A total of 
223 NASA FMEAs and 84 NASA CILs were identified. The discrepancy 
between the number of IOA and NASA FMEAs can be explained by the 
different approaches used by NASA and IOA to group failure modes. 
This resulted in multiple IOA FMEAs being mapped to a single NASA 
FMEA. However, every NASA FMEA is mapped to at least 1 IOA
worksheet.

A total of 102 FMEA and 36 CIL issues was identified on the ARS.

A number of these issues involved failures which were identified 
by IOA but not by NASA. These issues resulted mainly from 
insufficient data obtained from NASA. 


C.23 Extravehicular Mobility Unit

The IOA analysis of the EMU hardware initially generated 497 
failure mode worksheets and identified 390 Potential Critical 
Items (PCIs) before starting the assessment process. In order to 
facilitate comparison, additional failure mode analysis 
worksheets were generated. These analysis results were compared 
to the proposed NASA Post 51-L baseline (the most recent 
available as of December 31, 1987) (Fig. C.23). The discrepancy 
between the number of IOA and NASA FMEAs can be explained by the 
different approach used by NASA and IOA to identify failure modes 
or simply by errors of omission. 53 failure modes were identified
by the IOA analysis that were not covered by the NASA FMEAs;
forty-two were considered issues due to CIL impacts.

With regard to the issues, the IOA has identified a total of one 
hundred and fifty-three (153). Ninety of these are concentrated 
in the PLSS and the DCM. This was not unexpected due to each 
subsystem's complexity and significant use of redundancy. These 
features resulted in different levels of analysis and in 
different determinations of redundancy by both the IOA and the 
NASA. Another area of PLSS and DCM issues resulted from differing
usage of screen B detectability requirements. The NASA
established an interpretation that so long as the crewmember
could obtain safe haven upon detection the screen would be
passed; however, the IOA disagreed with the use of an emergency
system (the SOP) to support obtaining safe haven.

The largest remaining block of issues (40) are distributed
throughout the HUT, helmet, air assemblies, gloves, and the LTA.
Although many of these issues are similar in cause to those of
the PLSS and the DCM (namely different levels of analysis or
different interpretation of redundancy), a large group of these
resulted from a common failure mode - loss of pressure integrity.
The NASA would "qualify" the failure mode as loss of pressure
maintenance capability in excess of SOP make-up capability. The
IOA's concern was that it automatically assumed loss of the SOP
in assigning a 1/1 criticality; the IOA would prefer a 2/1R with
a failure of screen B and screen C to reflect the failure
scenario.

Figure C.23 - EMU ASSESSMENT

The IOA also notes that the SOP has been determined to be an 
emergency subsystem to the EMU. The IOA recommended the SOP to 
be just that in the IOA analysis report issued in 1986. 


C.24 Power Reactant Storage and Distribution System 

The IOA analysis of the EPG/PRSD hardware initially generated 
162 failure mode worksheets and identified 82 PCIs before 
starting the assessment process. In order to facilitate 
comparison, 4 additional failure mode analysis worksheets were generated. 
These analysis results (Fig. C.24a) were first compared to the 
proposed NASA Post 51-L baseline of 92 FMEAs and 58 CIL items, 
and then to the updated version of 66 FMEAs and 39 CIL items, 
and finally to the 3 baseline configuration of 64 FMEAs and 39 
CIL items for the 2 tank baseline, and 67 FMEAs and 42 CIL items 
for the 3 and 4 tank baselines. The discrepancy between the 
number of IOA and NASA FMEAs can be explained as follows. 

Eight (8) issues arose from inner tank component FMEAs that had 
not been covered by NASA, but which may have been covered by 
the tank manufacturer, Beech Aircraft. 

Two (2) issues were due to FMEAs the NASA Subsystem Manager 
thought should be covered under the ground operations FMEAs. 

Thirteen (13) issues were caused by the differences between the 
Rockwell International reliability desk instructions No. 100-2G 
and the NSTS 22206. 

Four (4) issues can be explained by the different approaches used 
by NASA and IOA to group failure modes. 

Upon completion of the assessment, and after discussions with 
the NASA Subsystem Manager, 19 of the 77 recommended FMEAs were in 
agreement. Of the 58 that remained, 27 had minor discrepancies 
that did not affect criticality. 

The IOA analysis of the EPD&C/EPG hardware initially generated 
263 failure mode worksheets and identified 60 Potential Critical 
Items (PCIs) before starting the assessment process. In order to 
facilitate comparison, 42 additional failure mode analysis 
worksheets were generated. These analysis results were compared 
to the proposed NASA Post 51-L baseline of 211 FMEAs and 47 CIL 
items, which was generated using the NSTS 22206 FMEA/CIL 
instructions (Fig. C.24b). Upon completion of the assessment, 
all of the 211 FMEAs were in agreement. The difference in the 
total number of FMEAs between IOA and NASA is due to the 
analysis level used to assign the failure modes. 


C.25 Main Propulsion System 


The IOA MPS analysis generated 690 FMEA worksheets, 371 of 
which were PCIs. Of the total, 438 FMEAs were generated for 
mechanical components and 252 for electrical components (Fig. 
C.25). 

General differences of opinion and interpretation between the 
IOA MPS Group and the RI/NASA MPS team resulted in different 
criticality assignments. The RI/NASA team, for example, tended 
to have a broader view of an item's function than did IOA. 

A related difficulty was the matter of redundancy. Again, the 
RI/NASA team adopted a broader view of redundancy than did IOA. 
RI/NASA viewed sequential main engine failures as loss of 
redundancy. IOA believes engines are not redundant to each 
other because, while they perform identical functions, they do 
not perform the same function. 

Another area of differing opinions was the RI/NASA practice of 
introducing criticality 1/1 failures, such as line breaks or 
leaks, as a second failure, thereby creating a 2/1R criticality 
regardless of the first failure. IOA concludes that, in most 
cases, this is not consistent with the NSTS 22206 methodology or 
definitions. 


C.26 Orbital Maneuvering System 

The IOA product for the EPD&C analysis consisted of 284 hardware 
and 667 EPD&C failure mode worksheets that resulted in 
160 hardware and 216 EPD&C PCIs being identified. A comparison 
was made of the IOA product to the NASA FMEA/CIL baseline as of 
23 December 1987, which consisted of 101 hardware and 142 EPD&C 
FMEAs, and 68 hardware and 49 EPD&C CIL items. In order to 
facilitate comparison, additional IOA analysis worksheets were 
generated as required. IOA mapped 138 hardware and 147 EPD&C 
FMEAs, and 93 hardware and 47 EPD&C CILs and PCIs into the NASA 
FMEAs and CILs (Fig. C.26a&b). The IOA and NASA FMEA/CIL 
baselines were compared and discussions were held with the NASA 
Subsystem Managers in an effort to resolve the identified issues. 

A majority of the initial hardware issues was resolved; however, 
47 hardware issues, 29 of which concern CIL items or PCIs, and 70 
EPD&C issues, 31 of which concern CIL items or PCIs, remain 
unresolved. 

Many of the unresolved EPD&C issues result because of differences 
in interpretation of NSTS 22206. The NASA/RI definition of 
redundancy allowed the selection of specific unrelated failures which 
were required to cause known problems; e.g., failures required 
to cause continuous power to a valve. The IOA redundancy string 
included only items that were capable of performing the specific 
function of the item being analyzed. IOA considers many NASA/RI 
redundancy strings to include multiple unrelated failures. 

Figure C.26a - OMS HARDWARE ASSESSMENT 

Figure C.26b - OMS EPD&C ASSESSMENT 

A number of the unresolved hardware and EPD&C issues involve 
failure modes identified by IOA which are not currently addressed 
on the NASA FMEA/CIL baseline. IOA considers each of these 
failure modes to be credible, and recommends that they be added. 

The remaining unresolved OMS hardware and EPD&C issues result 
because of differences between the IOA and NASA/RI analyses of 
the OMS subsystem, which resulted in criticality, redundancy 
screen, or failure effect differences. 


C.27 Reaction Control System 

The IOA product for the RCS analysis consisted of 208 hardware 
and 2,064 EPD&C failure mode worksheets that resulted in 141 
hardware and 449 EPD&C PCIs being identified. A comparison was 
made of the IOA product to the NASA FMEA/CIL baseline as of 23 
December 1987, which consisted of 99 hardware and 524 EPD&C FMEAs 
and 62 hardware and 144 EPD&C CIL items. In order to facilitate 
comparison, additional IOA analysis worksheets were generated as 
required. IOA mapped 166 hardware and 597 EPD&C FMEAs, and 133 
hardware and 116 EPD&C CILs and PCIs into the NASA FMEAs and 
CILs (Fig. C.27a&b). After comparison of the IOA baseline to 
the NASA FMEA/CIL baseline and discussions with the NASA 
Subsystem Manager, 96 hardware issues, 83 of which concern CIL 
items or PCIs, and 280 EPD&C issues, 158 of which concern CIL 
items or PCIs, remain unresolved. These issues fall into three 
categories: NSTS 22206 interpretation differences, IOA failure 
modes not currently addressed on the NASA FMEA/CIL, and RCS 
subsystem analysis differences. 

One hundred seven (107) of the unresolved EPD&C issues result 
because of differences in interpretation of NSTS 22206. The 
NASA/RI definition of redundancy allowed the selection of specific 
unrelated failures which were required to cause known problems; 
e.g., failures required to cause continuous power to a valve. The 
IOA redundancy string included only items that were also capable 
of performing the specific function of the item being analyzed. 

IOA considers many NASA/RI redundancy strings to include multiple 
unrelated failures, thus making criticalities too severe or 
masking other critical failures found by IOA. 

One hundred twenty-eight (128) of the unresolved hardware and 
EPD&C issues involve failure modes identified by IOA which are not 
currently addressed on the NASA FMEA/CIL baseline. IOA considers 
each of these failure modes to be credible, and recommends that 
they be added. 

The remaining unresolved RCS issues result because of differences 
between the IOA and NASA/RI analyses of the RCS subsystem. Many 
of these issues are linked to a few general differences in the 
analyses performed by IOA and NASA/RI. For example, 17 of the 
FRCS hardware issues are linked to the fact that IOA considered 
the inability to deplete (dump) FRCS propellant to be critical 
for entry. NASA/RI considered it critical only for ET 
separation. Six (6) of the ARCS hardware issues result because 
IOA considered any failure which resulted in the loss of primary 
thrusters to be a Crit 1 during RTLS and TAL aborts due to the 
resulting reduced OMS and RCS propellant dump rates. Several of 
the RCS hardware issues are related to failures which result in 
propellant leakage. Per NSTS 22206, IOA considered any leakage 
of propellant to be critical, regardless of where it occurred. 
NASA/RI did not apply this philosophy to all propellant leakage 
failures. Fifty (50) of the unresolved EPD&C issues result 
because IOA considered the inability to determine the actual 
position of a valve to be a 3/2R. Loss of all redundancy could 
lead to falsely failing the valve closed, thus affecting mission 
operations. NASA/RI classified such failures as 3/3's. The 
remainder of the unresolved analysis-difference issues exist 
independently and cannot, for the most part, be linked to any 
general differences. 


C.28 Communication and Tracking 

The IOA analysis of the Communication and Tracking hardware and 
functions resulted initially in generation of 1,039 failure mode 
and effects analysis (FMEA) worksheets with 269 being assigned as 
Potential Critical Items (PCIs). An IOA and NASA assessment was 
made by comparing 697 NASA FMEA worksheets and 239 Critical 
Items. Discrepancies between the number of IOA and NASA FMEAs 
and CILs prevented a one to one comparison which required 
generation of additional FMEA worksheets to facilitate collation. 
The final IOA count equaled 1,108 FMEAs with 298 PCIs (Fig. 
C.28). 

Discrepancies noted between the IOA and NASA FMEA and PCI counts 
were attributed to the following factors: different failure 
modes employed by IOA and NASA; different definitions of 
electronic unit and function configurations and component levels; 
criticality assignments based on a certain element of 
subjectivity and interpretation of the NSTS 22206 instructions; 
omissions; different levels of unlike redundancy; different 
determinations as to the extent of a unit's function or effects on 
system level function; and a contract revision requiring early 
submittal, which missed revised and new FMEA/CILs. 

Many of the FMEA and PCI analysis differences and issues could 
no doubt have been resolved through discussions with Subsystem 
Managers had the contract not been prematurely cancelled. Also 
many NASA FMEA worksheets were upgraded after the January 1, 1988 
freeze so that much of the assessment was made on initial 
baseline FMEAs that did not reflect the latest thinking. The 
most prominent number of PCIs pertained to loss of output and 
loss of all capability to: obtain State Vector Updates, monitor 
movement of the RMS, verify payload bay door closure through 
observation that payload bay door latches did indeed latch, 
perform Ku-band antenna boom stow and verification, maintain 
mission support and obtain NAVAIDS data during night time abort 
landings at unequipped emergency landing sites. 


APPENDIX D 


Comparison of IOA Findings To Rockwell CIL Packages 


A comparison of IOA recommended CIL items and Rockwell CIL 
Packages is presented in Table D-1. The Rockwell CIL count 
corresponds to 1 March 1988. Individual IOA subsystem CIL counts 
are those that existed at each subsystem assessment completion, 
which occurred from March 1987 through January 1988. 

Consequently, this comparison should be used only as general 
information. 

No comparison is available for FMEAs because the Rockwell review 
packages do not contain this information for all non-CIL items. 

A general comparison of FMEA results is available in Table 1-1 
(page 3), where the IOA suggested failure modes are compared to 
the NASA baseline. The results shown in the following Table D-1 
do not always resemble those previously presented in Table 1-2. 
The numbers do not agree in all cases because the Rockwell 
packages do not include GFE such as the RMS, EMU, MMU and OEX. 

In addition, some differences may arise because the IOA baseline 
was frozen on 1 January 1988, while some of the Rockwell reviews 
were still in progress and the numbers fluid. The number of 
issues varied in time in some cases as IOA findings were accepted 
by Rockwell or NASA and incorporated into the program baseline. 
This is documented in Table 1-2, page 4. 


TABLE D-1 

IOA TO ROCKWELL CIL PACKAGE COMPARISON (INTERIM) 

                                                                                CIL
Subsystem                                         Rockwell CIL Package ID       IOA*    Rockwell**   Issues

Fuel Cell Powerplant (FCP)                        55
Hydraulic Actuators (HA)                          14,15
Displays and Control (D&C)                        79,80
Guidance, Navigation & Control (GN&C)             61,62
Orbiter Experiments (OEX)                         N/A
Auxiliary Power Unit (APU)                        59,60
Backup Flight System (BFS) / DPS                  83,84
Electrical Power, Distribution & Control (EPD&C)  85
Landing & Deceleration (L&D)                      5,6,7,8,12,13
Purge, Vent and Drain (PV&D)                      2
Pyrotechnics (PYRO)                               108-112
Active Thermal Control System (ATCS) and Life     91-96,99-101
  Support System (LSS)
Crew Equipment (CE)                               102,103
Instrumentation (INST)                            81,82
Data Processing System (DPS) - Included in BFS
Atmospheric Revitalization Pressure Control       89,90
  System (ARPCS)
Hydraulics & Water Spray Boiler (HYD & WSB)       41,42,97,98
Mechanical Actuation System (MAS)                 3,4,16,18-30
Manned Maneuvering Unit (MMU)                     N/A
Nose Wheel Steering (NWS)                         9-11
Remote Manipulator System (RMS)                   N/A
Atmospheric Revitalization System (ARS)           86-88
Extravehicular Mobility Unit (EMU)                N/A
Power Reactant Supply & Distribution System       56,105,106                    79      85           6
  (PRS&D)
Main Propulsion System (MPS)                      43-50                         714     692          22
Orbital Maneuvering System (OMS)                  53,54                         140     111          29
Reaction Control System (RCS)                     51,52                         249     212          37
Comm and Tracking (C&T)                           65-75,77,78                   281     98           183
Not in IOA Scope                                  1,17,32-40,57,58,76,104,107
Totals

*As of 1 January 1988 
**As of 1 March 1988 